Hacker News

"A virtual machine using KVM need not run a complete operating system or emulate a full suite of hardware devices. Using the KVM API, a program can run code inside a sandbox and provide arbitrary virtual hardware interfaces to that sandbox."

This is amazing. If you're building something platform-level, like e.g. NaCl, I presume you could use the KVM API to provide stronger isolation beyond the standard limited isolation of a regular Linux process.




See also Cappsule, for launching Linux applications in VMs, https://cappsule.github.io

"Cappsule is a new kind of hypervisor developed by Quarkslab (to our knowledge, there’s no similar public project). Its goal is to virtualize any software on the fly (e.g. web browser, office suite, media player) into lightweight VMs called cappsules. Attacks are confined inside cappsules and therefore don’t have any impact on the host OS. Applications don’t need to be repackaged, and their usage remains the same for the end user: it’s completely transparent. Moreover, the OS doesn’t need to be reinstalled nor modified."


Is it similar to Spikes Security's Malware Isolation?


That seems to run browser sessions in VMs on network appliances, then it sends a processed (?) version to endpoints.

Cappsule is currently targeted at Linux desktops. It could theoretically be used on a Linux server to implement the isolation component of Spikes Security, but additional functionality would be needed to generate the "safe" version of content for endpoints, or to forward pixels to thin clients.


Absolutely. You can also provide arbitrary memory-mapped devices based on any memory in your host process, including a memory-mapped device or shared memory region.



